Hi从以下查询中获得以下数据。。(index=abc或index=def(|rex字段=index";(?<Local_Market>[^cita]\w.*?(_"|图表计数(按阻止(,Local_Market
阻断dub大鼠mil0 10 20 212009年2月1日2 9 2 1
现在我想要的数据如下
大鼠总剂量(sumof 0和sumof 2(dub mil总剂量(sumof 1((10+20+21+9+2+1(=63 10 20 21(02+03+09(=14
这个问题的格式可以更好,但我认为您想要的是addcoltotals命令。
这个随处运行的例子很难看,但我相信它会产生所需的结果。
| makeresults
| eval _raw="blocked dub rat mil
0 10 20 21
1 02 03 09
2 9 2 1"
| multikv forceheader=1
| fields - _time _raw linecount
```Skip the above - it just creates test data```
```Compute the total_bolocked field for blocked=0 and blocked=2```
| eval total_bolocked=if(blocked!=1,dub+mil+rat,0)
```Compute the total_found field for blocked=1```
| eval total_found=if(blocked=1, dub+mil+rat,0)
```Add up the total_bolocked fields. This will include blocked=1, but we'll fix that below```
| eventstats sum(total_bolocked) as total_bolocked
```Set total_bolocked=0 if blocked is 1```
| eval total_bolocked=if(blocked=1,0, total_bolocked)